Thomas Kostal

Name of the Vulnerable Software and Affected Versions: Cyberduck versions through 9.1.6 Mountain Duck versions through 4.17.5 Description: The issue is related to improper handling of TLS certificate pinning for untrusted certificates, such as self-signed certificates, in Cyberduck and Mountain Duck. The certificate fingerprint is stored as SHA-1, which is considered weak. Recommendations: For Cyberduck versions through 9.1.6, consider updating to a version that properly handles TLS certificate pinning. For Mountain Duck versions through 4.17.5, consider updating to a version that properly handles TLS certificate pinning. As a temporary workaround, consider disabling the use of SHA-1 for certificate fingerprints in both Cyberduck and Mountain Duck until a patch is available.

Name of the Vulnerable Software and Affected Versions: Cyberduck versions prior to 9.1.7 Mountain Duck versions prior to 4.17.6 Description: The issue concerns improper handling of TLS certificate pinning for untrusted certificates, such as self-signed ones. This results in the unnecessary installation of these certificates to the Windows Certificate Store of the current user without any restrictions. Recommendations: For Cyberduck versions prior to 9.1.7, update to version 9.1.7 or later to resolve the issue. For Mountain Duck versions prior to 4.17.6, update to version 4.17.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the certificate installation process to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Vtiger CRM version 7.4.0 **Description** A stored cross-site scripting (XSS) issue was found in the e-mail template modules. This allows for malicious scripts to be stored and executed when the module is accessed. **Recommendations** For Vtiger CRM version 7.4.0, consider disabling the e-mail template modules until a patch is available to prevent potential exploitation of the stored XSS issue.